Workflow

Incident intake connectors

How to bring incidents from Jira, ServiceNow, PagerDuty, SIEM, or generic webhooks into OneComply without losing review control.

Owner: Product + Security Engineering
Last reviewed: 2026-05-31

  • Default mode: Review - safer than auto-create.
  • Auth: HMAC - timestamped request signing.
  • Payload cap: 256 KB - rejects oversized events.
  • Noise control: Auto-disable - for repeated bad events.

When to use incident intake

Use incident intake when an external tool is the first place where operational events are created. OneComply normalises each event into the incident workflow so DORA/NIS2 deadlines, owners, evidence, and audit trails can be managed centrally.

  • Pull into OneComply - Jira, ServiceNow, PagerDuty, SIEM, or any webhook source sends candidate incidents.
  • Review before creation - recommended for regulated reporting because not every alert is a reportable incident.
  • Auto-create - use only after source filters and dedupe keys have been proven in staging or review mode.

Setup steps

  1. Open Dashboard > Integrations > Incident intake.
  2. Create a source and choose the provider type.
  3. Keep mode as Review required until incoming events are clean.
  4. Copy the webhook URL and one-time signing secret.
  5. Configure the external tool to send JSON with a stable external incident ID, title, detected time, severity, and status.
  6. Sign every request with the timestamped HMAC header shown in the integration page.
  7. Send a test event, then promote or reject it from the review queue.

Recommended source filters

Filter heartbeat events, low-severity alerts, closed test tickets, and duplicate update notifications before they reach OneComply. Use a stable provider event ID so retries are deduplicated.

What happens to incoming events

  1. Signature check - invalid or replayed signatures are rejected before database writes.
  2. Payload limit - oversized requests are rejected at 256 KB.
  3. Budget check - source-hour and org-day limits prevent unbounded event ingestion.
  4. Normalisation - OneComply extracts title, detected time, severity, status, affected systems, DORA references, and source URL.
  5. Quarantine - an event that is missing mandatory data is quarantined and is not treated as a reportable incident.
  6. Review or promote - reviewers promote valid events to incidents or reject non-relevant events.
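
The signing step from the setup list and the first two intake checks above, as an added sketch (not OneComply's own code). Assumptions: the signature is hex HMAC-SHA256 over the timestamp, a dot, and the raw body; the freshness window is 300 seconds; the JSON key names are invented. The real header name and format are the ones shown on the integration page.

```python
import hashlib
import hmac
import json

MAX_BODY = 256 * 1024  # payload cap stated on this page
TOLERANCE_S = 300      # assumed freshness window, not from the page
SECRET = b"constructed-demo-secret"  # constructed; use the source's signing secret
# Constructed sample event; the key names are assumptions
BODY = json.dumps({"external_id": "INC-1001", "title": "Payment API outage",
                   "detected_at": "2026-05-31T09:15:00Z", "severity": "high",
                   "status": "open"}).encode()


def sign(secret: bytes, body: bytes, ts: int) -> str:
    """Sender: assumed scheme, hex HMAC-SHA256 over b"<ts>." + raw body."""
    return hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()


class Verifier:
    """Receiver: every check runs on raw bytes, before parsing or storage."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = {}  # accepted signature -> its timestamp

    def check(self, body: bytes, ts_header: str, sig_header: str, now: int):
        if len(body) > MAX_BODY:
            return False, "payload too large"
        try:
            ts = int(ts_header)
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > TOLERANCE_S:
            return False, "stale timestamp"
        expected = sign(self.secret, body, ts)
        # Constant-time comparison avoids leaking how many characters matched
        if not hmac.compare_digest(expected.encode(), sig_header.encode()):
            return False, "bad signature"
        # Forget signatures whose timestamp would now fail the freshness check
        self.seen = {s: t for s, t in self.seen.items() if abs(now - t) <= TOLERANCE_S}
        if sig_header in self.seen:
            return False, "replayed"
        self.seen[sig_header] = ts
        return True, "accepted"
```

Sign the exact bytes that go on the wire: re-serialising the JSON after signing changes the body and the signature no longer verifies.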

Cost and noise safeguards

  • A source that exceeds the hourly intake limit is automatically disabled and must be reviewed before re-enabling.
  • An organisation that exceeds the daily intake budget receives 429 responses until the window clears.
  • A source with repeated quarantined events is disabled because it likely has a mapping or filter problem.
  • Old rejected, duplicate, failed, and quarantined events without linked incidents are removed by a daily cleanup job.
  • Provenance for promoted incidents is retained so auditors can trace each incident record back to its source event.

Operational response if a source is disabled

  1. Open Dashboard > Integrations and find the disabled incident intake source.
  2. Read the last error and review the most recent quarantined events.
  3. Fix source filtering, field mapping, or signature configuration in the external tool.
  4. Send one valid test event.
  5. Re-enable the source only after the test event reaches the review queue cleanly.